Security Experts:

N.C. Dermatology Center Discovers Hacked Server Two Years After Attack

In another cowardly Friday afternoon data breach disclosure, Chapel Hill, N.C.-based Central Dermatology Center said that one of its servers was breached by hackers back in August of 2012, but that it has just become aware of the breach.

The company said that on September 25, 2014 it became aware that one of its servers had been compromised by malware, sparking them to immediately call in forensic experts to identify the malware and resulting fallout.

In addition to not discovering the breach until roughly two years later, the company acknowledged that they are not sure exactly what data the attackers may have gotten their hands on.

“The information on the server that may or may not have been accessed included patients' name, address, phone numbers, date of birth, social security number, billing and diagnostic codes, insurance company, insurance co-payment information, healthcare provider, employer information, sex, treatment date, account balance, email address, and race,” the company said in a breach disclosure announcement Friday afternoon.

“The investigation revealed that the attack occurred on or about August 9, 2012 despite safeguards in place, including software on the server designed to prevent such malware,” the company said.

Contacted by SecurityWeek, a company spokesperson declined to comment on the type of malware discovered or the security software that was installed on the server.

The announcement continued:

Based on Central's forensic investigation to date, it is believed that patient bank account and payment card information were not compromised and electronic medical records were not on this server as they were encrypted by Central prior to the malware being placed on the server.

Responding to a subsequent inquiry as to why the company decided to make the announcement on a Friday afternoon, an unamed company spokesperson provided the following response: "Being thorough is what was required and its what our patients expect and deserve. While the investigation is ongoing, today was the day we were able to provide our patients with valuable information."

While this incident stemmed from a malicious attack, a study recently released by security firm Bitglass on healthcare data breaches showed that 68 percent of the breaches since 2010 occurred because devices or files were lost or stolen. Only 23 percent were due to hacking, the study found. In the breaches analyzed, 48 percent of the incidents involved a laptop, mobile device or desktop. 

According to Mandiant's 2014 M-Trends report, Mandiant’s investigations found that breaches were discovered in 229 days on average in 2013 vs. 243 in 2012. While these improvements are a positive, it still means attackers are still spending 2/3rds of the year inside an organization’s network before being discovered.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.